Sei sulla pagina 1di 102
Talon ® Enhanced User’s Manual Logicube, Inc. Chatsworth, CA 91311 818 700 8488 Version: 1.0.5
Talon ® Enhanced User’s Manual Logicube, Inc. Chatsworth, CA 91311 818 700 8488 Version: 1.0.5

Talon ® Enhanced User’s Manual

Logicube, Inc. Chatsworth, CA 91311 818 700 8488
Logicube, Inc.
Chatsworth, CA 91311
818 700 8488

Version: 1.0.5 MAN-Talon Enhanced Date: 05/02/2012

Limitation of Liability and Warranty Information Logicube Disclaimer LOGICUBE IS NOT LIABLE FOR ANY INCIDENTAL

Limitation of Liability and Warranty Information

Logicube Disclaimer

LOGICUBE IS NOT LIABLE FOR ANY INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO PROPERTY DAMAGE, LOSS OF TIME OR DATA FROM USE OF A LOGICUBE PRODUCT, OR ANY OTHER DAMAGES RESULTING FROM PRODUCT MALFUNCTION OR FAILURE OF (INCLUDING WITHOUT LIMITATION, THOSE RESULTING FROM: (1) RELIANCE ON THE MATERIALS PRESENTED, (2) COSTS OF REPLACEMENT GOODS, (3) LOSS OF USE, DATA OR PROFITS, (4) DELAYS OR BUSINESS INTERRUPTIONS, (5) AND ANY THEORY OF LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE (OR FROM DELAYS IN SERVICING OR INABILITY TO RENDER SERVICE ON ANY) LOGICUBE PRODUCT.

LOGICUBE MAKES EVERY EFFORT TO ENSURE PROPER OPERATION OF ALL PRODUCTS. HOWEVER, THE CUSTOMER IS RESPONSIBLE TO VERIFY THAT THE OUTPUT OF LOGICUBE PRODUCT MEETS THE CUSTOMER’S QUALITY REQUIREMENT. THE CUSTOMER FURTHER ACKNOWLEDGES THAT IMPROPER OPERATION OF LOGICUBE PRODUCT AND/OR SOFTWARE, OR HARDWARE PROBLEMS, CAN CAUSE LOSS OF DATA, DEFECTIVE FORMATTING, OR DATA LOADING. LOGICUBE WILL MAKE EFFORTS TO SOLVE OR REPAIR ANY PROBLEMS IDENTIFIED BY CUSTOMER, EITHER UNDER WARRANTY OR ON A TIME AND MATERIALS BASIS.

Warranty

DISCLAIMER

IMPORTANT - PLEASE READ THE TERMS OF THIS AGREEMENT CAREFULLY. BY INSTALLING OR USING LOGICUBE PRODUCTS, YOU AGREE TO BE BOUND BY THIS AGREEMENT.

IN NO EVENT WILL LOGICUBE BE LIABLE (WHETHER UNDER THIS AGREEMENT, RESULTING FROM THE PERFORMANCE OR USE OF LOGICUBE PRODUCTS, OR OTHERWISE) FOR ANY AMOUNTS REPRESENTING LOSS OF PROFITS, LOSS OR INACCURACY OF DATA, LOSS OR DELAYS OF BUSINESS, LOSS OF TIME, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS, SERVICES, OR TECHNOLOGY, PROPERTY DAMAGE, OR INDIRECT, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF A PURCHASER OR USER OF LOGICUBE PRODUCTS OR ANY THIRD PARTY. LOGICUBE’S AGGREGATE LIABILITY IN CONTRACT, TORT, OR OTHERWISE (WHETHER UNDER THIS AGREEMENT, RESULTING FROM THE PERFORMANCE OR USE OF LOGICUBE PRODUCTS, OR OTHERWISE) TO A PURCHASER OR USER OF LOGICUBE PRODUCTS SHALL BE LIMITED TO THE

AMOUNT PAID BY THE PURCHASER FOR THE LOGICUBE PRODUCT. THIS LIMITATION OF LIABILITY WILL BE EFFECTIVE EVEN IF LOGICUBE HAS BEEN ADVISED OF THE POSSIBILITY OF ANY SUCH DAMAGES.

LOGICUBE MAKES EVERY EFFORT TO ENSURE PROPER OPERATION OF ITS PRODUCTS. HOWEVER, THE PURCHASER IS RESPONSIBLE FOR VERIFYING THAT THE OUTPUT OF A LOGICUBE PRODUCT MEETS THE PURCHASER’S REQUIREMENTS. THE PURCHASER FURTHER ACKNOWLEDGES THAT IMPROPER OPERATION OF LOGICUBE PRODUCTS CAN CAUSE LOSS OF DATA, DEFECTIVE FORMATTING, OR DEFECTIVE DATA LOADING. LOGICUBE WILL MAKE EFFORTS TO SOLVE OR REPAIR ANY PROBLEMS IDENTIFIED BY PURCHASER, EITHER UNDER THE WARRANTY SET FORTH BELOW OR ON A TIME AND MATERIALS BASIS.

LIMITED WARRANTY

FOR ONE YEAR FROM THE DATE OF SALE (THE “WARRANTY PERIOD”) LOGICUBE WARRANTS THAT THE PRODUCT (EXCLUDING CABLES, ADAPTERS, AND OTHER “CONSUMABLE” ITEMS) IS FREE FROM MANUFACTURING DEFECTS IN MATERIAL AND WORKMANSHIP. THIS LIMITED WARRANTY COVERS DEFECTS ENCOUNTERED IN THE NORMAL USE OF THE PRODUCT DURING THE WARRANTY PERIOD AND DOES NOT APPLY TO: PRODUCTS DAMAGED DUE TO PHYSICAL ABUSE, MISHANDLING, ACCIDENT, NEGLIGENCE, OR FAILURE TO FOLLOW ALL OPERATING INSTRUCTIONS CONTAINED IN THE OPERATING MANUAL; PRODUCTS WHICH ARE MODIFIED; PRODUCTS WHICH ARE USED IN ANY MANNER OTHER THAN THE MANNER FOR WHICH THEY WERE INTENDED, AS SET FORTH IN THE OPERATING MANUAL; PRODUCTS WHICH ARE DAMAGED OR DEFECTS CAUSED BY THE USE OF UNAUTHORIZED PARTS OR BY UNAUTHORIZED SERVICE; PRODUCTS DAMAGED DUE TO UNSUITABLE OPERATING OR PHYSICAL CONDITIONS DIFFERING FROM THOSE RECOMMENDED IN THE OPERATING MANUAL OR PRODUCT SPECIFICATIONS PROVIDED BY LOGICUBE; ANY PRODUCT WHICH HAS HAD ANY OF ITS SERIAL NUMBERS ALTERED OR REMOVED; OR ANY PRODUCT DAMAGED DUE TO IMPROPER PACKAGING OF THE WARRANTY RETURN TO LOGICUBE. AT LOGICUBE’S OPTION, ANY PRODUCT PROVEN TO BE DEFECTIVE WITHIN THE WARRANTY PERIOD WILL EITHER BE REPAIRED OR REPLACED USING NEW OR REFURBISHED COMPONENTS AT NO COST. THIS WARRANTY IS THE SOLE AND EXCLUSIVE REMEDY FOR DEFECTIVE PRODUCTS. IF A PRODUCT IS HAS BECOME OBSOLETE OR IS NO LONGER SUPPORTED BY LOGICUBE THE PRODUCT MAY BE REPLACED WITH AN EQUIVALENT OR SUCCESSOR PRODUCT AT LOGICUBE’S DISCRETION. THIS WARRANTY EXTENDS ONLY TO THE END PURCHASER OF LOGICUBE PRODUCTS. THIS WARRANTY DOES NOT APPLY TO, AND IS NOT FOR THE BENEFIT OF, RESELLERS OR DISTRIBUTORS OF LOGICUBE PRODUCTS. UNLESS OTHERWISE AGREED IN WRITING BY LOGICUBE, NO WARRANTY IS PROVIDED TO RESELLERS OR DISTRIBUTORS OF LOGICUBE PRODUCTS.

IN ORDER TO RECEIVE WARRANTY SERVICES CONTACT LOGICUBE’S TECHNICAL SUPPORT DEPARTMENT VIA PHONE OR E-MAIL. PRODUCTS RETURNED TO LOGICUBE FOR REPAIR UNDER WARRANTY MUST REFERENCE A LOGICUBE RETURN MATERIAL AUTHORIZATION NUMBER (“RMA”). ANY PRODUCT RECEIVED BY LOGICUBE WITHOUT AN RMA# WILL BE REFUSED AND RETURNED TO PURCHASER. THE PURCHASER MUST CONTACT LOGICUBE’S TECHNICAL SUPPORT DEPARTMENT VIA E-MAIL (SUPPORT@LOGICUBE.COM) OR VIA PHONE AT +1-818-700-8488 OPT. 3 TO OBTAIN A VALID RMA#. THE PURCHASER MAY BE REQUIRED TO PERFORM CERTAIN DIAGNOSTIC TESTS ON A PRODUCT PRIOR TO LOGICUBE ISSUING AN RMA#. THE PURCHASER

MUST PROVIDE THE PRODUCT MODEL, SERIAL NUMBER, PURCHASER NAME AND ADDRESS, EMAIL ADDRESS AND A

MUST PROVIDE THE PRODUCT MODEL, SERIAL NUMBER, PURCHASER NAME AND ADDRESS, EMAIL ADDRESS AND A DESCRIPTION OF THE PROBLEM WITH AS MUCH DETAIL AS POSSIBLE. REASONABLE TELEPHONE AND EMAIL SUPPORT ARE ALSO AVAILABLE FOR THE LIFE OF THE PRODUCT AS DEFINED BY LOGICUBE.

EXCEPT AS OTHERWISE SPECIFICALLY PROVIDED IN THIS AGREEMENT, LOGICUBE PRODUCTS ARE PROVIDED AS-IS AND AS-AVAILABLE, AND LOGICUBE DISCLAIMS ANY AND ALL OTHER WARRANTIES (WHETHER EXPRESS, IMPLIED, OR STATUTORY) INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT OF THIRD PARTY RIGHTS. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION.

RoHS Certificate of Compliance

LOGICUBE PRODUCTS COMPLY WITH THE EUROPEAN UNION RESTRICTION OF THE USE OF CERTAIN HAZARDOUS SUBSTANCES IN ELECTRONIC EQUIPMENT, ROHS DIRECTIVE (2002/95/EC).

THE ROHS DIRECTIVE PROHIBITS THE SALE OF CERTAIN ELECTRONIC EQUIPMENT CONTAINING SOME HAZARDOUS SUBSTANCES SUCH AS MERCURY, LEAD, CADMIUM, HEXAVALENT CHROMIUM AND CERTAIN FLAME-RETARDANTS IN THE EUROPEAN UNION. THIS DIRECTIVE APPLIES TO ELECTRONIC PRODUCTS PLACED ON THE EU MARKET AFTER JULY 1, 2006.

Logicube Technical Support Contact Information

1. By website: www.logicube.com

2. By email: techsupport@logicube.com

3. By telephone: 1 - (818) 700 8488 ext. 3 between the hours of 7am 5pm PST, Monday through Friday, excluding U.S. legal holidays.

Table of Contents TALON ® ENHANCED USER’S MANU AL I LIMITATION OF LIABILITY AND WARRANTY

Table of Contents

TALON ® ENHANCED USER’S MANUAL

I

LIMITATION OF LIABILITY AND WARRANTY INFORMATION

I

LOGICUBE DISCLAIMER

I

WARRANTY

I

ROHS CERTIFICATE OF COMPLIANCE

III

LOGICUBE TECHNICAL SUPPORT CONTACT INFORMATION

III

TABLE OF

CONTENTS

IV

1. INTRODUCTION TO THE TALON ENHANCED

9

INTRODUCTION

9

Specifications

9

Features

10

Using this guide

11

System description

11

2. GETTING STARTED

14

DRIVE NAMES AND LOCATIONS

14

SETTING UP THE TALON ENHANCED

15

Opening the Logicube Talon Enhanced

15

Connecting a PATA Drive

15

PATA Destination Drive

15

PATA Source Drive

16

Connecting a SATA Drive

17

SATA Destination Drive

17

SATA Source Drive

18

Connecting other types of drives

18

THE USER INTERFACE

18

Touch Screen

19

Calibrating the Touch Screen

Stealth Mode

19

20

Turning On Stealth Mode

20

Turning Off Stealth Mode

20

Date & Time

20

Buttons

21

Alphanumeric Keypad

21

Indicator Lights

21

E01 Resume (Incomplete Sessions)

21

3. DRIVE CAPTURE MODES AND SETTINGS

23

MAIN SCREEN

23

Misc 23 Drives 24 Settings 24 About 24 M ODES OF O PERATION 24 Capture

Misc

23

Drives

24

Settings

24

About

24

MODES OF OPERATION

24

Capture

24

DD Image

24

E01 Image

25

Drive Defect Scan

25

Wipe Destination

25

Calculate HASH

25

USB / eSATA

25

Keyword Search

25

CAPTURING A DRIVE

25

Mirror Capture Step-by-Step

26

Special Settings for Mirror Capture Mode

27

Verify

27

DD Image Capture Step-by-Step

28

Special Settings for DD Image Mode

30

Verify

30

File Size

30

Loading DD Image files into a Forensic Investigative Tool

31

E01 Image Step-by-Step

31

Special Settings for E01 Image Mode

Printing a report

Printing with the Brother (thermal) Printer

33

34

34

OPTIONAL PREFERENCE SETTINGS

35

Mode

35

Verify

36

Speed

36

On Error

37

Word List

38

Modify List

38

CAPTURING DATA FROM HPA AND DCO CONFIGURATIONS

38

4. OTHER MODES

40

INTRODUCTION

40

SETTINGS MENU OPTIONS

40

Drive Defect Scan

40

Drive Defect Scan Step-by-Step

Wipe Destination

Wipe Destination Step-by-Step

HASH Scan

Hash Scan Step-by-Step

40

41

41

43

43

MISC MENU SETTINGS

44

Backlight

44

Authenticate Trail

44

Procedure

Manage Settings

44

44

Contrast

45

Save Settings

45

Factory Settings

45

Manage Destination

45

Print Options

46

Eject Page

46

Print Report

47

Auto Print (After Capture)

47

Debug

47

Beeper

47

Audio Notice

48

Security

48

High Security

48

Maximum Security

49

Type

49

Get

50

Disabled

50

SCSI/SAS Adapter

51

Performing SAS and SCSI Adapter Updates

51

Retries

53

Install Options

54

File System

54

Languages

54

Time Zone

55

E01 Resume

55

Daylight Saving

55

6. USB AND ESATA PORTS

56

INTRODUCTION

56

Minimum requirements

56

USB Connection to Windows (for Drive Management)

57

eSATA Connection to Windows (for Drive Management)

57

Removing USB devices

58

Cloning through the USB port

59

How to set up and use the USB/FireWire cloning software:

59

Selectable Capture Modes & Options

60

Cloning Apple computer drives using FireWire and the Cloning Software:

63

Additional Notes

63

7. KEYWORD SEARCHING

65

INTRODUCTION

65

SEARCHING FOR KEYWORDS

65

Searching During Capture

65

Searching with Keyword Search Mode

66

Procedure

66

KEYWORD LISTS

67

MODIFY LIST SETTINGS

68

Modify Lists

68

8. OPTIONAL PERIPHERALS

70

INTRODUCTION

70

LOGICUBE NETCONNECT

70

Features

70

Using NETConnect Kit with Talon Enhanced

71

LOGICUBE CLONE CARD PRO

71

Before Capturing

72

Using the Logicube CloneCard Pro to Capture a Drive

72

Improving Speed of Transfer

73

LOGICUBE SCSI ADAPTER

73

What’s Included 74 What’s Needed 74 Installation Setup 74 How to use the SCSI Adapter

What’s

Included

74

What’s

Needed

74

Installation

Setup

74

How to use the SCSI Adapter

74

Duplicating using Talon Enhanced

74

 

Optional USB cloning with the SCSI Adapter

75

LOGICUBE SAS ADAPTER

76

 

What’s

Included

76

What’s

Needed

77

Installation

Setup

77

How to use

the SAS Adapter

77

Duplicating using Talon Enhanced

77

Optional USB cloning with the SAS Adapter

78

9. SYSTEM CF CARD

79

INTRODUCTION

79

CONNECTING THE CF CARD TO WINDOWS VIA USB OR ESATA

79

 

Connecting Through USB or eSATA Mode

79

Removing USB devices

80

REPLACING THE COMPACTFLASH CARD

80

 

CF Card Removal and Installation

80

10.

SOFTWARE AND FIRMWARE LOADING INSTRUCTIONS

82

INTRODUCTION

 

82

 

Loading New Software and Firmware

82

11.

REFERENCE

84

FURTHER NOTES ON MODES AVAILABLE FOR THE TALON ENHANCED

84

 

Capture Mirror Capture or DD image

84

Drive Defect Scan

84

Options

84

Wipe Destination

84

Options

84

Erase process with Security

85

Erase process using non Security Erase drives

85

ADDITIONAL COMMANDS

85

Verify

85

HASH

85

HASH + V

85

None

86

On Error

86

Printer

87

ANATOMY OF A DRIVE CAPTURE

87

Power-up and Initialization

87

Log file name entry

88

Calibration of Transfer Speed

88

Capture Integrity Check

88

Verification of Destination Drive being erased

89

Wipe Destination

89

Erase Process

90

Write a unique signature to the destination

90

Capture Source Drive Data To Destination Drive

90

Check for Erasure of Unused Portion of Destination Drive

90

Print Final Capture Report

90

FINAL CAPTURE REPORT (HARDCOPY PRINTOUT)

91

Information Format

91

Example of Hardcopy Printout

94

12. FREQUENTLY ASKED TALON ENHANCED QUESTIONS AND ANSWERS

95

13. INDEX

98

TECHNICAL SUPPORT INFORMATION

100

1. Introduction to the Talon Enhanced Introduction Thank you for purchasing the Logicube Talon Enhanced.

1. Introduction to the Talon Enhanced

Introduction

1. Introduction to the Talon Enhanced Introduction Thank you for purchasing the Logicube Talon Enhanced. With

Thank you for purchasing the Logicube Talon Enhanced. With proper use, this unit will provide you with accurate HDD capturing for years to come.

The Logicube Talon Enhanced is a drive-to-drive duplication device. Typically, a suspect hard drive and a destination drive will be connected to the unit. Within minutes of starting the process, the contents of the suspect drive are accurately copied over to the target drive for further examination. Handling of the suspect drive is held to a minimum with zero alteration of its contents.

Designed with the Forensics investigator in mind, the system ensures that proper evidence capture procedures are maintained, while speeding up the process significantly.

Specifications

The Talon Enhanced is the next generation of the Forensic Talon ® , the most widely used forensic imaging solution on the market today. The compact and rugged Talon Enhanced provides unbeatable forensic imaging speed along with industry-leading reliability, quality, and durability. The easy to use Talon Enhanced is engineered specifically for forensic investigations in the field or in the lab. The Talon Enhanced is available as a standalone unit that includes a carrying case or purchase the Talon Enhanced Field ToughKit that includes a rugged hard-sided carrying case and accessories.

INTRODUCTION

INTRODUCTION
INTRODUCTION

Features

Power Requirements

Power Consumption (w/drives)

Operating Temperature

Relative Humidity

Net Weight

Dimensions

90 to 230V AC 47/63 Hz

<96 watts

10°-35°C (50°-95°F)

10%-80%

1.5 lbs. (.680 kg)

6” W x 2.7” H x 9” D

Agency Approvals

(15.24cm X 6.8cm X 22.86cm)

RoHS compliant

Ruggedized, scratch-resistant exterior and impact resistant display.Agency Approvals (15.24cm X 6.8cm X 22.86cm) RoHS compliant Compact, lightweight, and portable. With a footprint

Compact, lightweight, and portable. With a footprint of only 9” x 6” x 2.7” it fits easily into a backpack for easy transporting, or 9” x 6” x 2.7” it fits easily into a backpack for easy transporting, or use the sturdy carrying case (included with Talon E) that includes room for storing accessories.

Capture to multiple image formats for greater flexibility and compatibility with forensic analysis software. Formats include mirror copy, DD image, E01 file format (featuring hardware-based compression to maintain line speed performance).with Talon E) that includes room for storing accessories. Capture from 1 suspect to 1 or

Capture from 1 suspect to 1 or 2 evidence drives at speeds over 7GB/min. Supports drive spanning.compression to maintain line speed performance). Uses the highest level of authentication. The Talon-E

Uses the highest level of authentication. The Talon-E computes MD5 and SHA-256 hash concurrently in real time at full capturing speed.drives at speeds over 7GB/min. Supports drive spanning. Provides 100% write-protection (source drive) – Use the

Provides 100% write-protection (source drive) – Use the Talon-E as an external write-blocker for easy drive preview/image transfer, eliminating the Use the Talon-E as an external write-blocker for easy drive preview/image transfer, eliminating the need for additional write-block hardware.

Industry-proven, easy to use, password-based security system (based on the ATA security specification T13) protects evidence drives from unauthorized access.eliminating the need for additional write-block hardware. Optional encryption feature (available in a future update)

Optional encryption feature (available in a future update) provides maximum security when transporting sensitive data. Decryption is facilitated using the write protected eSATA port.T13) protects evidence drives from unauthorized access. Support for IDE/SATA drives is built-in to the Talon

Support for IDE/SATA drives is built-in to the Talon Enhanced. Support for SCSI, SAS, eSATA, and microSATA drives is available with optional adapters.sensitive data. Decryption is facilitated using the write protected eSATA port. Talon Enhanced User’s Manual 10

INTRODUCTION
INTRODUCTION

INTRODUCTION

These adapters also provide an optional high-speed (up to 2GB/min) USB device capture feature.

Built-in eSATA port provides faster transfer of data to a PC post-capture.high-speed (up to 2GB/min) USB device capture feature. Keyword search capability. Search for hundreds of words

Keyword search capability. Search for hundreds of words concurrently on a hard drive either during the capture process or on a single drive.port provides faster transfer of data to a PC post-capture. Use with optional NETConnect ® networking

Use with optional NETConnect ® networking module (kit version) for fast transfer of forensic data to network locations. ® networking module (kit version) for fast transfer of forensic data to network locations.

Features include audit trail report (time-stamped), wipe mode (including DoD level wipe and Secure Erase), USB port, touch screen display, embedded, back-lit keypad (that can be turned off when stealth is required), and support for imaging DCO/HPA disk regionsfor fast transfer of forensic data to network locations. Using this guide This user guide is

Using this guide

This user guide is made up of 11 sections:

IntroductionUsing this guide This user guide is made up of 11 sections: Getting Started (Fast Start)

Getting Started (Fast Start)This user guide is made up of 11 sections: Introduction Drive Capture Modes and Settings Other

Drive Capture Modes and Settingsup of 11 sections: Introduction Getting Started (Fast Start) Other Modes Capturing RAID Configurations USB and

Other ModesStarted (Fast Start) Drive Capture Modes and Settings Capturing RAID Configurations USB and eSATA Connection

Capturing RAID Configurations(Fast Start) Drive Capture Modes and Settings Other Modes USB and eSATA Connection Keyword Searching Optional

USB and eSATA ConnectionModes and Settings Other Modes Capturing RAID Configurations Keyword Searching Optional Peripherals Internal Flash Memory

Keyword SearchingModes Capturing RAID Configurations USB and eSATA Connection Optional Peripherals Internal Flash Memory Software and

Optional PeripheralsConfigurations USB and eSATA Connection Keyword Searching Internal Flash Memory Software and Firmware Loading

Internal Flash Memoryand eSATA Connection Keyword Searching Optional Peripherals Software and Firmware Loading Instructions Reference /

Software and Firmware Loading InstructionsKeyword Searching Optional Peripherals Internal Flash Memory Reference / FAQ’s / Index Please read Chapter 1:

Reference / FAQ’s / IndexFlash Memory Software and Firmware Loading Instructions Please read Chapter 1: Introduction and Chapter 2:

Please read Chapter 1: Introduction and Chapter 2: Getting Started before attempting a drive capture. It is recommended that you practice with a test or scratch drive to fully appreciate the unit’s features.

System description

The Talon Enhanced Standalone system is packed in a molded soft carrying case. Inside, you will find the following components:

Power supplycase. Inside, you will find the following components: A set of 5” & 9” PATA (IDE)

A set of 5” & 9” PATA (IDE) data and power cables PATA (IDE) data and power cables

INTRODUCTION

INTRODUCTION
INTRODUCTION

One 5” (inside the Talon Enhanced) and two 9” SATA data/power cable 5” (inside the Talon Enhanced) and two 9” SATA data/power cable

eSATA to eSATA cablethe Talon Enhanced) and two 9” SATA data/power cable USB mini cable CompactFlash card CD with

USB mini cableand two 9” SATA data/power cable eSATA to eSATA cable CompactFlash card CD with Talon Enhanced

CompactFlash cardSATA data/power cable eSATA to eSATA cable USB mini cable CD with Talon Enhanced software and

CD with Talon Enhanced software and a user’s manual a user’s manual

NOTE: It is recommended that you always use the carrying case to store and carry the unit.

The Talon Enhanced Kit is packed in a rugged hard-sided carrying case. Inside, you will find the following components:

Power supply

Power supply

A set of 5” & 9” PATA (IDE) data and power cables

A set of 5” & 9” PATA (IDE) data and power cables

One 5” (inside the Talon Enhanced) and two 9” SATA data/power cable

One 5” (inside the Talon Enhanced) and two 9” SATA data/power cable

eSATA to eSATA cable

eSATA to eSATA cable

USB mini cable

USB mini cable

CompactFlash card

CompactFlash card

18” extended length IDE and SATA data & power cables

18”

extended length IDE and SATA data & power cables

2.5” IDE adapter

2.5” IDE adapter

1.8” IDE adapter

1.8” IDE adapter

1.8” ZIF IDE adapter

1.8” ZIF IDE adapter

microSATA cable for microSATA interface drives

microSATA cable for microSATA interface drives

eSATA cable for eSATA interface drives

eSATA cable for eSATA interface drives

SAS adapter supports capture from SAS drives

SAS adapter supports capture from SAS drives

High-speed USB drive acquisition software key code option. Enable the USB port on the SAS

High-speed USB drive acquisition software key code option. Enable the USB port on the SAS adapter to capture USB enclosures and thumb/flash drives

CD with Talon Enhanced software and a user’s manual

CD

with Talon Enhanced software and a user’s manual

NOTE: It is recommended that you always use the carrying case to store and carry the unit.

Caution: Incorrectly connecting the suspect drive to the system can result in data on the
Caution: Incorrectly connecting the suspect drive to the system can result in
data on the suspect drive to be lost forever. Never place a suspect drive
inside the Talon Enhanced as data may be overwritten.
Caution: Never place a suspect drive into any other Logicube products (e.g.
SuperSonix ® ) that are used for Operating System cloning.
INTRODUCTION
INTRODUCTION

INTRODUCTION

INTRODUCTION Figure 1, Talon Enhanced Talon Enhanced User’s Manual 13
INTRODUCTION Figure 1, Talon Enhanced Talon Enhanced User’s Manual 13

Figure 1, Talon Enhanced

2. Getting Started Drive Names and Locations The following naming conventions will be used throughout

2. Getting Started

Drive Names and Locations

The following naming conventions will be used throughout this manual:

The Hard disk drive attached inside the Talon Enhanced is always referred to as the Destination 1 or D1 (or Evidence) drive. The drive attached on the outside above the touch screen display is always referred to as the Source (or Suspect) drive. The drive attached on the outside to the right side is always referred to as the Destination 2 or D2. PATA (Parallel-ATA) will be used instead of the older term, IDE or E-IDE.

NOTE: Please refer to Fig. 2 as you read the information below.

: Please refer to Fig. 2 as you read the information below. Figure 2, Drive locations

Figure 2, Drive locations

IMPORTANT NOTE!

DESTINATION DRIVES Before connecting, disconnecting, or swapping Destination drives (D1 or D2), the Talon Enhanced must be turned off first.

INTRODUCTION
INTRODUCTION

INTRODUCTION

Setting Up the Talon Enhanced

The Logicube Talon Enhanced is able to detect whether PATA (or Parallel-ATA, commonly known as IDE) or SATA (Serial-ATA) drives are attached to any of the Source or Destination positions. The unit is capable of capturing to SATA drives from PATA drives and vice versa (as well as PATA to PATA and SATA to SATA).

NOTE1: An optional IDE Cloning Adapter (F-ADP-IDE) is required to capture to IDE/PATA destination drives. The adapter is not necessary to capture from IDE/PATA source drives. Contact Logicube Sales for information regarding this adapter.

NOTE2: Never attach both a PATA and SATA drive to a single Source or Destination position. The unit can only handle one drive on each position. It is perfectly fine to attach a PATA drive to one position (e.g. Source) and a SATA drive to the other position (e.g. Destination).

Before applying power perform the steps listed below:

Opening the Logicube Talon Enhanced

The first Destination drive is attached to the inside of the Logicube Talon Enhanced. To open the unit, press the two latches at the base of the unit and lift the top lid. You will notice two connections:

a. A 4-pin power connector.

b. A SATA data connector.

NOTE: The Talon Enhanced can have two Destination drives. The Destination positions will be called D1 for Destination 1 and D2 for Destination 2. D1 is located inside the Talon Enhanced while D2 is located on the outside to the right of the Talon Enhanced.

Connecting a PATA Drive

PATA Destination Drive

IMPORTANT NOTE!

DESTINATION DRIVES Before connecting, disconnecting, or swapping Destination drives (D1 or D2), the Talon Enhanced must be turned off first.

The following steps describe how to connect a PATA drive to the Destination position:

NOTE: The SATA cables in the Destination position must be removed from the Talon

INTRODUCTION

INTRODUCTION
INTRODUCTION

Enhanced when a PATA drive is connected to the Destination position.

1. Open the Logicube Talon Enhanced by following the steps previously mentioned.

2. Attach the optional SATA to PATA (IDE) adapter (F-ADP-IDE) to the SATA cable inside the Talon Enhanced.

3. Connect the 5” power cable to the 4-pin power molex on the PATA adapter. Connect the PATA drive to the SATA to PATA adapter along with the other end of the power cable.

PATA Source Drive

The following steps describe how to connect a PATA drive to the Source position:

NOTE: The SATA cables in the Source position must be removed from the Talon Enhanced when a PATA drive is connected to the Source position.

1. Connect the 9” power cable to the 4-pin black molex outside the Talon Enhanced, next to the 40-pin data connector.

2. Connect the 9” PATA (IDE) data cable to the 40-pin data connector outside the Talon Enhanced. When connecting the 9PATA data cable to the 40-pin data connector inside the Talon, make sure you connect the side marked “DUPLICATOR SIDE”.

3. Connect the PATA drive to the other end of the power and data cables. When connecting the PATA data cable to the drive, make sure you connect the side marked “HDD SIDE”.

Note: In order for a capture to work, most PATA drives must be configured as a master drive. If you are going to capture a drive that is used as a slave drive, move the jumper to the master position. Before moving a jumper note its position so you can return the suspect drive to its original state when the capture operation has been completed.

There are some drives that do not follow the requirement stated above. Those drives are:

Western Digital Most Western Digital drives require that the jumpers be removed for a capture to work. The exception to this requirement is for the Western Digital “Xpert” series hard drives (an older manufactured

is for the Western Digital “Xpert” series hard drives (an older manufactured Talon Enhanced User’s Manual
INTRODUCTION
INTRODUCTION

INTRODUCTION

INTRODUCTION version) where the jumper is set to the master position. Quantum - The jumper must

version) where the jumper is set to the master position.

Quantum - The jumper must be placed in the “DS” position. The “DS” position is adjacent to the 40-pin connector. See figure 3.

position is adjacent to the 40-pin connector. See figure 3. Connecting a SATA Drive Figure 3,

Connecting a SATA Drive

Figure 3, DS Position

NOTE: Internal drives are always referred to as the Destination 1 (or D1 or Evidence) drive. The outside drives to the right side of the Talon Enhanced are always referred to as the Destination 2 (or D2 or Evidence) drive. The outside drives towards the top of the Talon Enhanced are always referred to as the Source (or Suspect) drives.

SATA Destination Drive

IMPORTANT NOTE!

DESTINATION DRIVES

Before connecting, disconnecting, or swapping Destination drives (D1 or D2), the

Talon Enhanced must be turned off first.

The following steps describe how to connect a SATA drive to the D1 Destination position:

1. Open the Logicube Talon Enhanced by following the steps previously mentioned.

2. Connect the 5” SATA cable to the 4-pin black molex and to the SATA port inside the Talon Enhanced.

3. Connect the SATA drive to the other end of the SATA cable.

4. Close the Talon Enhanced lid.

NOTE: A SATA drive can be connected on the D2 Destination position. The D2 Destination position is used in some modes

INTRODUCTION

INTRODUCTION
INTRODUCTION

(e.g. S1=>D1&D2). If a single Destination drive is being used, it must be attached to the D1 Destination position.

SATA Source Drive

The following steps describe how to connect a SATA drive to the Source position:

NOTE: The PATA cables in the Source position must be removed from the Talon Enhanced when a SATA drive is connected to the Source position.

1. Connect the 9” SATA cable to the 4-pin black molex and SATA port outside the Talon Enhanced.

2. Connect the SATA drive to the other end of the SATA cable.

Connecting other types of drives

Logicube sells specialized adapters that allow other types of drives to be connected to the Logicube Talon Enhanced. Such drives include 2.5” PATA (IDE) drives, 1.8” PATA (IDE) or SATA drives and USB drives. SCSI and SAS drive adapters are also available. The SAS adapter is included in the Talon Enhanced Field ToughKit.

If you are unsure about the type of drive that you have, please contact Logicube Technical Support for assistance.

The user interface

The user interface (UI) has been re-designed with the professional in mind. It is fast, responsive, and to the point; which means it requires very few keystrokes to achieve a desired action.

NOTE: Please refer to Fig. 4 as you read the information below.

INTRODUCTION
INTRODUCTION

INTRODUCTION

INTRODUCTION Figure 4, Buttons and Interface Touch Screen The Talon Enhanced features an LCD Touch Screen

Figure 4, Buttons and Interface

Touch Screen

The Talon Enhanced features an LCD Touch Screen that allows the user to quickly input commands. This screen replaces many of the buttons that were present on older Logicube Forensic Talon models. The screen is bright and easy to read. It also has an audible beep every time the touch screen is pressed. This lets the user know that the touch screen is active and can be turned off, if desired.

Calibrating the Touch Screen

There may be times when the user wants to recalibrate the Touch Screen. The procedure for this is very simple as outlined in the procedure below:

1. Turn the Talon Enhanced off using the power switch located on the right side of the device.

2. Press and hold the SET button, then turn the Talon Enhanced on using the power switch.

3. Hold the SET button until the Talon Enhanced boots to a screen that reads “Touchpad Calibration. Touch the center of square (1/5)”.

NOTE: You can also calibrate the touch screen with a stylus or the dull plastic tip of a writing instrument. Do not use any writing instrument that will leave marks on the unit.

INTRODUCTION

INTRODUCTION
INTRODUCTION

4. Look for a square at the top of the screen. Touch the square when it is located. The square should move to a different part of the screen.

5. Repeat the previous step four more times. The unit will count each time the square is pressed correctly. It will count (1/5), (2/5), etc.

6. Once the screen has been calibrated, it will show the Main Menu Screen.

Stealth Mode

The Talon Enhanced has a Stealth Mode feature. Stealth mode will hide what is currently being processed or captured by doing the following:

Display a blank screenbeing processed or captured by doing the following: Turn off the backlight on the keypad Turning

Turn off the backlight on the keypador captured by doing the following: Display a blank screen Turning On Stealth Mode To turn

Turning On Stealth Mode

To turn Stealth Mode on, press and hold the SET button for 5 seconds. The screen should go blank.

Turning Off Stealth Mode

To turn Stealth mode off, press and release the BACK button.

Date & Time

The time can be adjusted by setting the correct Time Zone along with the Daylight Savings setting. Please refer to Time Zone and Daylight Savings in the Misc. Menu section of Chapter 4: Other Modes for more information on these two settings.

The real time clock is displayed on the Main Menu screen and will add a time stamp to the log files created by the Talon Enhanced in two locations.

The top of the report will contain the date and time the capture process was started. The end time of the capture process will be shown on the bottom of the report and is only available when using DD Image or E01 Image Captures.

INTRODUCTION
INTRODUCTION

INTRODUCTION

Buttons

The Talon Enhanced features three buttons that are located below the touch screen display.

START/STOP Button – Pressing this button twice from the Main Menu to begin a DD Image Capture Pressing this button twice from the Main Menu to begin a DD Image Capture using the currently saved settings. Pressing and holding down the START/STOP button in the middle of a capture will abort the process. Pressing this button once presents a preview screen where you can decide whether to press it again to begin the selected process, or back out to reconfigure.

BACK Button - This button is used to go back to the previous screen or to cancel - This button is used to go back to the previous screen or to cancel out of a given operation.

SET Button – Hold this button while powering up the Talon Enhanced for screen calibration or to Hold this button while powering up the Talon Enhanced for screen calibration or to finalize log file names. The Set button is also used extensively in some menu settings like Keyword Search and Calculate Hash.

Alphanumeric Keypad

The alphanumeric keypad is used for labeling capture sessions, entering passwords and other functions.

Indicator Lights

The indicator lights (LED) are located to the left of the touch screen. The three indicator lights give some information about the Talon Enhanced and its current status or operation:

Top LED This is the power indicator. This LED is green and remains on while the Logicube Talon Enhanced is receiving power.

Middle LED This is the status indicator for Destination 1 (D1). This LED blinks green during capture operations and any operation that accesses the drive in the D1 position. This LED will turn solid red if there is an error involving the drive in the D1 position.

Bottom LED This is the status indicator for Destination 2 (D2). This LED blinks green during capture operations and any operation that accesses the drive in the D2 position. This LED will turn solid red if there is an error involving the drive in the D2 position.

E01 Resume (Incomplete Sessions)

When an E01 capture is being performed and the capture process is interrupted (for example, the AC adapter was disconnected or the power switch accidentally turned off), the Talon Enhanced has

INTRODUCTION

INTRODUCTION
INTRODUCTION

the ability to resume the unfinished capture. When this occurs, the Talon Enhanced will boot to a special screen that states:

Found Incomplete Session

This screen will contain the case name that was used before the session was interrupted along with the capture mode and status. On this screen, there are three options:

Don’t ask – Selecting this option will place a check mark on the box. This will instruct the Talon Enhanced to no longer show you the resume screen for this capture. Unless this option is checked, the ‘Found Incomplete Session’ screen will come up every time the Talon Enhanced is turned on.

Res Resume button. Selecting this will resume the E01 capture that was interrupted.

Skip This button will skip the resume function allowing you to either start from the beginning or start a different capture.

NOTE: There is a way to go back and resume previously skipped sessions even after ‘Don’t ask’ was checked. For more information on viewing previously skipped sections, see the E01 Resume section in Chapter 4: Other Modes.

NOTE: When resuming an incomplete session, the same Source and Destination drive(s) must be attached to the Talon Enhanced. An error will appear if the serial numbers of the Source or Destination drive(s) do not match.

3. Drive Capture Modes and Settings Main Screen The main menu screen appears when the

3. Drive Capture Modes and Settings

Main Screen

The main menu screen appears when the Logicube Talon Enhanced is first powered up. It displays the Title Screen and four menu options: Misc., Drives, Settings, and About.

and four menu options: Misc., Drives, Settings, and About . Misc Tap the Misc . icon

Misc

Tap the Misc. icon to access the following functions:

Backlight (on or off)Tap the Misc . icon to access the following functions: Authenticate Trail Manage Settings Manage Destination

Authenticate Trailto access the following functions: Backlight (on or off) Manage Settings Manage Destination menu Print Options

Manage Settingsfunctions: Backlight (on or off) Authenticate Trail Manage Destination menu Print Options menu Debug (on or

Manage Destination menuBacklight (on or off) Authenticate Trail Manage Settings Print Options menu Debug (on or off) Beeper

Print Options menuAuthenticate Trail Manage Settings Manage Destination menu Debug (on or off) Beeper (on or off) Audio

Debug (on or off)Manage Settings Manage Destination menu Print Options menu Beeper (on or off) Audio Notice (on or

Beeper (on or off)Manage Destination menu Print Options menu Debug (on or off) Audio Notice (on or off) Security

Audio Notice (on or off)menu Print Options menu Debug (on or off) Beeper (on or off) Security SCSI/SAS Adapter Retries

Security(on or off) Beeper (on or off) Audio Notice (on or off) SCSI/SAS Adapter Retries (adjustable)

SCSI/SAS Adapteror off) Beeper (on or off) Audio Notice (on or off) Security Retries (adjustable) Install Options

Retries (adjustable)or off) Audio Notice (on or off) Security SCSI/SAS Adapter Install Options File System Languages Time

Install Options(on or off) Security SCSI/SAS Adapter Retries (adjustable) File System Languages Time Zone E01 Resume Daylight

File SystemSCSI/SAS Adapter Retries (adjustable) Install Options Languages Time Zone E01 Resume Daylight Saving Audio Test

LanguagesAdapter Retries (adjustable) Install Options File System Time Zone E01 Resume Daylight Saving Audio Test These

Time ZoneRetries (adjustable) Install Options File System Languages E01 Resume Daylight Saving Audio Test These options are

E01 Resume(adjustable) Install Options File System Languages Time Zone Daylight Saving Audio Test These options are explained

Daylight SavingInstall Options File System Languages Time Zone E01 Resume Audio Test These options are explained in

Audio TestFile System Languages Time Zone E01 Resume Daylight Saving These options are explained in more detail

These options are explained in more detail under Chapter 4:

Other Modes.

CAPTURE MODES AND SETTINGS

CAPTURE MODES AND SETTINGS
CAPTURE MODES AND SETTINGS

DrivesCAPTURE MODES AND SETTINGS Tap the Drives icon. Another screen will come up asking you to

Tap the Drives icon. Another screen will come up asking you to select S1, D1, or D2. Depending on what is connected to the unit, make your choice by tapping the desired drive’s icon. The unit will then access the drive selected and report back the drive’s model number, capacity, geometry and other information.

Settingsmodel number, capacity, geometry and other information. Tap the Settings icon to access the settings screen.

Tap the Settings icon to access the settings screen.

NOTE: All of the features available in the Settings menu are explained starting on the next section (Modes of Operation).

Aboutexplained starting on the next section (Modes of Operation). Tap the About icon to display the

Tap the About icon to display the serial number of your unit along with the software and firmware versions that are loaded. In addition, the About screen provides contact information for Logicube Technical Support.

Modes of Operation

The Logicube Talon Enhanced supports three different operations to capture data from a suspect drive: Mirror Capture, DD Image Capture, and E01 Image Capture. These modes are found in the Settings Menu along with several other operations. The different modes of operation are briefly described below.

NOTE: Each time the Logicube Talon Enhanced is powered off, the cloning mode and preference settings are returned to their default settings.

The following Modes of Operation are found in the Mode Setting Menu:

CaptureModes of Operation are found in the Mode Setting Menu: This process captures all data from

This process captures all data from the source drive to the destination drive. This mode is also called a “Native Capture” or “Mirror Capturesince data is captured bit-by-bit to one or two destination drives.

DD Imageis captured bit-by-bit to one or two destination drives. This mode creates a subdirectory per drive

This mode creates a subdirectory per drive captured. The files created are in DD file format. The file size choices are 650 MB, 2 GB, 4 GB, or DISK. These files are directly accessible by popular Forensic analysis software tools, such as, FTK and iLook.

CAPTURE MODES AND SETTINGS
CAPTURE MODES AND SETTINGS

CAPTURE MODES AND SETTINGS

E01 Image CAPTURE MODES AND SETTINGS This mode captures drives directly into the E01 format. The evidence or

This mode captures drives directly into the E01 format. The evidence or destination drive can then be easily opened to the analysis software in a ready-to-analyze state. This eliminates the time consuming conversion step that users typically must perform today.

Drive Defect Scanconversion step that users typically must perform today. This operation performs a surface scan of the

This operation performs a surface scan of the drive media using the drive controller to verify the media, and detect bad or “weak” sectors. This mode is described in Chapter 4. Other Modes.

Wipe Destinationsectors. This mode is described in Chapter 4. Other Modes . This is used to erase

This is used to erase all data on the destination drive prior to a Mirror Capture. This mode is described in Chapter 4: Other Modes.

Calculate HASHCapture. This mode is described in Chapter 4: Other Modes . This is used to compute

This is used to compute SHA-256 and MD5 values of the source, or destination drives. This mode is described in Chapter 4:

Other Modes.

This mode is used to connect the Talon Enhanced to a PC through the USB or eSATA port. This mode is described in Chapter 6: USB and eSATA Connection . Chapter 6: USB and eSATA Connection.

USB / eSATA

Keyword Searchin Chapter 6: USB and eSATA Connection . USB / eSATA Used to perform a binary

Used to perform a binary or hexadecimal keyword search on a given drive. This mode is described in Chapter 7: Keyword Search.

Capturing a Drive

Connect the drives as previously described.

For Mirror Capture The Destination drive must be at least the same or larger in capacity than the Source drive (Suspect drive).

For DD Image and E01 Image The destination drive must be larger in capacity than the Source drive (Suspect drive).

NOTE: Logicube has split the Talon Enhanced firmware into multiple files in order to optimize performance. This requires a short 45-60 second reconfiguration process that will occur when the user is switching between E01 mode to or from all other capture modes.

CAPTURE MODES AND SETTINGS

CAPTURE MODES AND SETTINGS
CAPTURE MODES AND SETTINGS

Mirror Capture Step-by-Step

CAPTURE MODES AND SETTINGS Mirror Capture – Step-by-Step 1. Make sure that the Source and Destination

1. Make sure that the Source and Destination drives are attached to the device and the Talon Enhanced is turned on.

2. From the Main Screen, tap the Settings icon to enter the Settings menu.

3. Tap the Capture icon.

4. Tap the Mode icon and choose the configuration that is best suited for your capture session.

NOTE: See the Optional Preference Settings section of this chapter for more information on the Mode setting.

5. Scroll through the other optional preferences Verify, On Error, Speed, Word List, and Modify List. Modify them as needed by tapping the different settings for each.

NOTE: See the Optional Preference Settings section of this chapter for more information on these preference settings.

6. Press the START/STOP button twice.

NOTE: If you have used E01 mode in a capture session immediately prior to this capture session the following message will appear:

“Need to reconfigure, continue?”

Tap the YES icon to continue. This process takes 45-60 seconds. When the Talon Enhanced finishes reconfiguring, a message will appear:

“Reconfiguration COMPLETED. Press any key to continue”.

Press any of the three buttons below the touch screen to continue.

7. The following message will appear: “Continuing will overwrite a portion of your destination drive(s). Are you sure?” Tap the YES icon. The Talon Enhanced will apply power to the drives then access the System CF card. The following message will appear: “Enter Log file name and press SET”

8. Use the alphanumeric keypad to enter a Log file name of 8 characters or less. Press the SET button when finished.

9. If the Destination drive has not been erased with the Wipe Destination function, the unit will ask if you wish to erase the Destination drive. Choose YES or NO. If YES is chosen, the unit will completely wipe the destination drive before it begins to capture data. This process adds significant time to the duration of the capture session.

CAPTURE MODES AND SETTINGS
CAPTURE MODES AND SETTINGS

CAPTURE MODES AND SETTINGS

NOTE: The log file will state whether or not the Destination drive has been properly erased.

10. The unit will capture bit-by-bit every readable sector from the Suspect drive to the Destination drive, whether or not it contains data.

11. After all sectors have been captured, if the destination drive was not erased, the unit will ask if you wish to erase the remainder of the Destination drive. Choose Yes or No. If Yes is chosen, the unit will completely wipe the remainder of the destination drive.

NOTE: The log file will state whether or not the Destination drive has been properly erased.

12. If Auto Print was set to “Yes” in the Misc. menu, the user will be prompted to connect the printer and make sure that it is powered up and online. Press SET to print or BACK to skip printing.

NOTE: Please refer to “Printing a Reportlater in this chapter for more printing options.

13. A copy of the final capture report is written to the System CF card. It is titled <Log file name>.LOG. The report can be accessed and printed from Windows, if the Talon Enhanced unit is connected to a PC via USB or eSATA.

NOTE: Please refer to Chapter 6: USB and eSATA Ports for more information.

14. The capture ends with a “Capture Successful” message. It also displays the SHA-256 and MD5 Hash values for the Source and Destination drives together when the Verify setting is set to HASH + V.

Special Settings for Mirror Capture Mode

The settings below are unique to the DD Image Capture mode:

The settings below are unique to the DD Image Capture mode: Verify For Mirror Capture Mode,

Verify

For Mirror Capture Mode, the Verify Setting has some optional settings which are not available in any other mode. The settings available in Mirror Capture mode are:

NONE – No verification. This setting is only recommended for non-Forensic cloning operations. No verification. This setting is only recommended for non-Forensic cloning operations.

NOTE: Without verification, bad or weak sectors on the Destination drive will not be detected. This could cause the copy to be invalid.

HASH – This setting uses special hardware to compute 256-bit SHA-256 This setting uses special hardware to compute 256-bit SHA-256

CAPTURE MODES AND SETTINGS

CAPTURE MODES AND SETTINGS
CAPTURE MODES AND SETTINGS
CAPTURE MODES AND SETTINGS and 128-bit MD5 values at an extremely fast and accurate rate. HASH

and 128-bit MD5 values at an extremely fast and accurate rate.

HASH + V This setting behaves like HASH, except that it also reads back captured data and compares it to the Source drive in 50MB chunks. This setting is recommended to ensure the accuracy of the hash values.

NOTE: The “+ V” settings will double the cloning time of a capture session.

DD Image Capture Step-by-Step

of a capture session. DD Image Capture – Step-by-Step 1. Make sure that the Source and

1. Make sure that the Source and Destination drives are attached to the device and the Talon Enhanced is turned on.

2. From the Main Screen, tap the Settings icon.

3. Tap the DD Image icon.

4. Tap the Mode icon and choose the configuration that is best suited for your capture session.

NOTE: See the Optional Preference Settings section of this chapter for more information on the Mode setting.

5. Scroll through the other optional preferences Verify, File Size, On Error, Speed, Word List, and Modify List. Modify them as needed by tapping the different settings for each.

NOTE: See the Optional Preference Settings section of this chapter for more information on these preference settings.

6. Press the START/STOP button twice.

NOTE: If you have used E01 mode in a capture session immediately prior to this capture session the following message will appear:

“Need to reconfigure, continue?”

Tap the YES icon to continue. This process takes 45- 60 seconds. When the Talon Enhanced finishes reconfiguring, a message will appear:

“Reconfiguration COMPLETED. Press any key to continue”.

Press any of the three buttons below the touch screen to continue.

7. The following message will appear: “Continuing will overwrite a portion of your destination drive(s). Are you sure?” Tap YES.

CAPTURE MODES AND SETTINGS
CAPTURE MODES AND SETTINGS

CAPTURE MODES AND SETTINGS

NOTE: The Destination drive needs to be formatted before data capture is possible. If it hasn’t been formatted yet, or if the drive format is different from the saved setting (FAT32 vs. NTFS), a prompt will come up. Tap YES to format the drive. A confirmation prompt will appear confirming that you want to continue. Tap YES to begin formatting the Destination drive.

See Chapter 4: Other Modes for more information on managing the Destination drive.

8. The next screen prompts you to enter a Case file name using the keypad. For a DD Capture, the character limit is 195 characters except when using Spanning mode (S1 => D1 + D2) which has a character limit of 193 characters.

NOTE: If a Case file already exists on the destination drive (i.e. from a previous DD Image capture) the unit will not allow you to enter the same file name again.

NOTE: If the file system on your Destination drive differs from the File System setting, you will be prompted with the following message:

“D1 File System is different from setting! Would you like to change setting(No) or reformat(Yes)?”

Choosing (No) will abort the capture. Choosing (Yes) will format the destination drive based on the File System setting. For more information, see the File System section in Chapter 4: Other Modes.

9. A sub-directory (by the same name) will be created under the root directory on the destination drive.

10. The capturing process will create as many files as necessary within this sub-directory, with increasing extension numbers (e.g. my_disk.001, my_disk.002, etc.)

11. At the end of the process, a file with the .log extension is created and placed in the same sub-directory. The file is also written to the System CF card. It includes (among other things), the SHA-256 and MD5 Hash values of all captured DD files or the entire Source Drive. Refer to the Special Settings section later in this chapter.

12. If Auto Print was set to “Yes” in the Misc. menu, you will be prompted to connect the printer and make sure that it is powered up and online. Press SET to print or BACK to skip printing.

NOTE: Please refer to the “Printing a Reportsection later in this chapter for more printing options.

13. The capture ends with a “DD Capture Successful!message. It also displays the SHA-256 and MD5 Hash values for the Source and Destination drives together when Verify setting is set to Disk or Disk + V.

CAPTURE MODES AND SETTINGS

CAPTURE MODES AND SETTINGS
CAPTURE MODES AND SETTINGS

Special Settings for DD Image Mode

The settings below are unique to the DD Image Capture mode:

VerifyThe settings below are unique to the DD Image Capture mode: For DD Image Mode, the

For DD Image Mode, the Verify Setting has some optional settings which are not available in any other mode. The settings available in DD Image mode are:

NONE – No verification. This setting is only recommended for non-Forensic cloning operations. No verification. This setting is only recommended for non-Forensic cloning operations.

NOTE: Without verification, bad or weak sectors on the Destination drive will not be detected. This could cause the copy to be invalid.

File - This is the default setting for verification and uses special hardware to compute SHA-256 and This is the default setting for verification and uses special hardware to compute SHA-256 and MD5 values for each individual DD Image file.

File + V - This setting behaves like File, except that it also reads back captured data and compares This setting behaves like File, except that it also reads back captured data and compares it to the Source drive.

Disk - This setting uses special hardware to compute the SHA-256 and MD5 values for the entire This setting uses special hardware to compute the SHA-256 and MD5 values for the entire Source drive.

Disk + V- This setting behaves like Disk, except that it also reads back captured data and compares This setting behaves like Disk, except that it also reads back captured data and compares it to the Source drive.

File Sizeback captured data and compares it to the Source drive. This setting allows the user to

This setting allows the user to choose the size of captured DD Image files. The choices are:

650MB – Image files of this size can be archived on a CD-ROM. Image files of this size can be archived on a CD-ROM.

2GB – Image files of this size can be archived on Flash Memory cards or Thumb Image files of this size can be archived on Flash Memory cards or Thumb Drives.

4GB – Image files of this size can be archived on larger Flash memory / USB Image files of this size can be archived on larger Flash memory / USB drives or a DVD-ROM.

CAPTURE MODES AND SETTINGS
CAPTURE MODES AND SETTINGS

CAPTURE MODES AND SETTINGS

CAPTURE MODES AND SETTINGS DRIVE – This selection will create a single DD image file. The

DRIVE This selection will create a single DD image file. The size of the file depends on the size of the Source drive captured.

Loading DD Image files into a Forensic Investigative Tool

Once the DD Image files are captured to a Destination drive, they can be easily loaded into a Forensic Investigative tool that supports DD Images. Consult your software’s manual for more information.

1. Attach the Talon Enhanced to the PC via the USB or eSATA, (please refer to Chapter 6. USB and eSATA Ports).

2. Load the DD Image into your software as per the software manufacturer’s instructions.

NOTE: If there is an option for the number of “Bytes per sector”, set it to 512. Also, some software may ask to mount a drive as either “physical” or “logical”. If your software gives you this option, select “physical”.

your software gives you this option, select “physical”. E01 Image – Step-by-Step The E01 option captures

E01 Image Step-by-Step

The E01 option captures hard disk drives directly into the E01 format. The evidence or destination drive can then be easily uploaded to the analysis software in a ready-to-analyze state. This eliminates the time-consuming conversion step that users typically must perform.

Note: At this time, the E01 Image format is supported with Encase v6.x and Forensic Toolkit (FTK) v3.x.

supported with Encase v6.x and Forensic Toolkit (FTK) v3.x. 1. Make sure that the Source and

1. Make sure that the Source and Destination drives are attached to the device and the Talon Enhanced is turned on.

2. From the Main Screen, tap the Settings icon.

3. Tap the E01 Image icon.

4. Tap the Mode icon and choose the configuration that is best suited for your capture session.

NOTE: See the Special Settings for E01 Image Mode section of this chapter for more information on these preference settings.

5. Scroll through the other optional preferences Verify, and On Error. Modify them as needed by tapping the different settings for each.

NOTE: See the Special Settings for E01 Image Mode section of this chapter for more information on these preference settings.

6. Tap the Setting icon to go to the E01 Setting Menu.

CAPTURE MODES AND SETTINGS

CAPTURE MODES AND SETTINGS
CAPTURE MODES AND SETTINGS

7. To enter any notes or to select the Info Show icon press D1 or D2 respectively depending on which Destination drive(s) you are working on.

8. Press the START/STOP button twice.

NOTE: If you have used a mode other than E01 in a capture session immediately prior to this capture session the following message will appear:

“Need to reconfigure, continue?”

Tap the YES icon to continue. The process takes 45-60 seconds. When the Talon Enhanced finishes reconfiguring, a message will appear:

“Reconfiguration COMPLETED. Press any key to continue”.

Press any of the three buttons below the touch screen to continue.

9. The following message will appear: “Continuing will overwrite a portion of your destination drive(s). Are you sure?” Tap YES.

NOTE: If the file system on your Destination drive differs from the File System setting, you will be prompted with the following message:

“D1 File System is different from setting! Would you like to change setting(No) or reformat(Yes)?”

Choosing (No) will abort the capture. Choosing (Yes) will format the destination drive based on the File System setting. For more information, see the File System section in Chapter 4:

Other Modes.

10. The next screen prompts you to enter a Case file name using the keypad. For an E01 Image Capture, the character limit is 195 characters except when using Spanning mode (S1 => D1 + D2) which has a character limit of 193 characters.

NOTE: If a Case file already exists on the destination drive (i.e. from a previous E01 Image capture) the unit will not allow you to enter the same file name again.

11. A sub-directory (by the same name) will be created under the root directory on the destination drive.

12. The capturing process will create as many files as necessary within this sub-directory, with increasing extension numbers (e.g. my_disk.e01, my_disk.e02, etc.)

13. At the end of the process, a file with the .log extension is created and placed in the same sub-directory. The file is also written to the internal Flash memory. It includes

CAPTURE MODES AND SETTINGS
CAPTURE MODES AND SETTINGS

CAPTURE MODES AND SETTINGS

(among other things) the MD5 Hash values of all captured E01 Image files.

14.

If Auto Print was set to “Yes” in the Misc. menu, you will be prompted to connect the printer and make sure that it is powered up and online. Press SET to print or BACK to skip printing.

NOTE: Please refer to the “Printing a Reportsection later in this chapter for more printing options.

15.

The capture ends with an “E01 Capture Successful!” message. It also displays the MD5 Hash values for the Source and Destination drives together when Verify setting is set to Disk or Disk + V.

 

Special Settings for E01 Image Mode

The E01 selection choices for the settings Mode, Speed, Verify and On Error are different from the other modes. The selection choices are as follows:

Mode

S1=>D1 (Default)Mode

S1=>D1&D2choices are as follows: Mode S1=>D1 (Default) S1=>D1+D2 Speed Select UDMA-5 or UDMA-4 (Default is

S1=>D1+D2as follows: Mode S1=>D1 (Default) S1=>D1&D2 Speed Select UDMA-5 or UDMA-4 (Default is UDMA-5) Verify

Speed

Select UDMA-5 or UDMA-4 (Default is UDMA-5)Speed

Verify

Select DISK or DISK+VVerify

On Error Retry

Select Retry or AbortOn Error Retry

 

The remaining icons are specific to E01 and are explained below.

Segment Size

Select 1500M Byte or 4000M ByteSegment Size

Compression

Select YES or NOCompression

Setting

The Settings icon is used to add relevant case information using the keypad and must be entered for the capture to initiate:Setting

CAPTURE MODES AND SETTINGS

CAPTURE MODES AND SETTINGS
CAPTURE MODES AND SETTINGS

Case Number

Examiner

Time information (yyyy/mm/dd hh:mm)

Notes

Press the Notes icon to enter up to 64 characters of pertinent information using the keypad.Number Examiner Time information (yyyy/mm/dd hh:mm) Notes Press the SET button to save a note. Press

Press the SET button to save a note. Press the BACK button to leave the screen without saving a note.

Info Show

Pressing the Info Show icon will display the current case information that will be tied to the E01 capture report.button to leave the screen without saving a note. Info Show Sample E01 Info Case No:

Sample E01 Info

Case No: GFK008

Examiner: R_SMITH

Notes: Any notes you wish to add.

Timestamp: 200910141439

Printing a report

At completion of a capture, you might want to print a report. You must keep the Talon Enhanced powered on in order for it to retain the report information from the last session.

NOTE: A Brother MW-120 portable thermal printer is available for purchase from Logicube.

Printing with the Brother (thermal) Printer

1. Connect the Brother printer to the Talon Enhanced using the special serial cable included with the printer.

2. Power the printer using the printer power adapter.

CAUTION: Don’t confuse this power adapter with the Talon Enhanced power adapter. Press the power button on the printer until it lights up.

3. Make sure that the Brother printer is loaded with A7 size thermal paper. For paper loading instructions, refer to the Brother printer User Manual.

CAPTURE MODES AND SETTINGS
CAPTURE MODES AND SETTINGS

CAPTURE MODES AND SETTINGS

NOTE: Do not use plain paper in the Brother printer.

4. From the Talon Enhanced main screen, tap the Misc icon, then tap the Print Options icon.

5. Tap the Print Reports icon, and then tap the Print Last Session icon.

6. Follow the instructions on the screen. A report should now print.

Every operation performed with the Talon Enhanced also writes a copy of the report to the CF Card. This report can be easily accessed in Windows and printed from a text editor like Notepad.

Optional Preference Settings

All of the preference settings below are available for Mirror Capture and DD Image Capture modes. For E01 preferences, please see the section “Special Settings for E01 Image Modeearlier in this chapter.

Mode

The Mode option allows the Talon Enhanced to be configured to capture from 1 Source drive to 1 or 2 Destination drives.

S1 (Source 1) to D1 (Destination 1) This mode allows one Source drive to be captured to one Destination drive. This is the default mode setting.S1 (Source 1) to D1 (Destination 1) –

S1 to D1 and D2 This captures the contents of one Source drive to two Destination drives. This is ideal for making a copy to keep in evidence and an extra copy for investigation.S1 to D1 and D2 –

S1 to D1 + D2 This image Spanning mode is available with DD image capture and E01 image capture. This mode allows you to capture from one large suspect drive and span DD or E01 images to two smaller evidence drives. Any subsequent DD or E01 capture performed using this mode will be added provided drive space is available. Case data is not overwritten.S1 to D1 + D2 –

NOTE: A very fast free space check enhancement has been incorporated into the latest software and firmware release. Check your Talon Enhanced frequently to ensure you benefit from these enhancements.

CAPTURE MODES AND SETTINGS

CAPTURE MODES AND SETTINGS
CAPTURE MODES AND SETTINGS

Verify CAPTURE MODES AND SETTINGS The Verify option is provided to add an increased level of confidence

The Verify option is provided to add an increased level of confidence in the capture process. The choices are: HASH, HASH + V and NONE.

HASH – This setting uses special hardware to compute 256-bit SHA-256 and 128-bit MD5 values at This setting uses special hardware to compute 256-bit SHA-256 and 128-bit MD5 values at an extremely fast and accurate rate.

HASH + V – This setting behaves like HASH , except that it also reads back captured data This setting behaves like HASH, except that it also reads back captured data and compares it to the Source drive in 50MB chunks. This setting is recommended to ensure the accuracy of the hash values.

NOTE: The “+ V” settings will double the cloning time of a capture session.

NONE – No verification. This setting is only recommended for non-Forensic cloning operations. No verification. This setting is only recommended for non-Forensic cloning operations.

NOTE: Without verification, bad or weak sectors on the Destination drive will not be detected. This could cause the copy to be invalid.

Speednot be detected. This could cause the copy to be invalid. The speed setting provides the

The speed setting provides the option to set the speed at which an operation will be performed at.

UDMA-6 – The software performs a test procedure to determine the fastest setting that the drives The software performs a test procedure to determine the fastest setting that the drives will tolerate while streaming data from one to the other.

When set to UDMA-6, all speeds grades below will be tested (i.e. UDMA 0-6, PIO-AUTO PIO-PIO Medium and PIO-SLOW).

UDMA-5 – With UDMA-5 selected, the software performs a test to determine the fastest speed setting With UDMA-5 selected, the software performs a test to determine the fastest speed setting that the drives will tolerate while streaming data from one drive to another.

When set to UDMA-5, all lower speed grades will be tested (i.e. UDMA 0-4, PIO-AUTO PIO-PIO Medium and PIO-SLOW)

UDMA-4 – Force the unit to use at most this speed. Set the unit to this Force the unit to use at most this speed. Set the unit to this mode in some rare situations where one or both drives do not support the higher speeds, and “misbehave” during our automatic speed benchmarking.

UDMA-3 – Same as UDMA-4. Same as UDMA-4.

UDMA-2 – Same as UDMA-4. Same as UDMA-4.

CAPTURE MODES AND SETTINGS
CAPTURE MODES AND SETTINGS

CAPTURE MODES AND SETTINGS

UDMA-1 – Same as UDMA-4. Same as UDMA-4.

UDMA-0 – Same as UDMA-4. Same as UDMA-4.

PIO-Auto (PIO-4) – Force the unit to use this as the highest speed (PIO-4). Set the (PIO-4) Force the unit to use this as the highest speed (PIO-4). Set the unit to this mode in some rare situations where one or both drives do not support higher speeds, and “misbehave” during our automatic speed benchmarking.

PIO-Medium – This is a fixed value that almost all drives will tolerate. It will result This is a fixed value that almost all drives will tolerate. It will result in copying speeds from about 200 to over 500 MB per minute depending upon the characteristics of the drives.

PIO-Slow – This is a speed value that all drives will be able to tolerate. It This is a speed value that all drives will be able to tolerate. It supports copying speeds from 100 to over 300 MB per minute depending on the characteristics of the drives.

NOTE: Use the MEDIUM or SLOW modes if you encounter drive “time-outs” or if you are capturing very old drives.

“time - outs” or if you are capturing very old drives. On Error The On Error

On Error

The On Error setting determines the behavior of the unit in the case where bad spots are detected on the source (suspect) drive. This setting has four options, which include:

Skip – This is the default setting. Skip will allow the Talon Enhanced to continue by This is the default setting. Skip will allow the Talon Enhanced to continue by stepping over the bad sector.

Abort – This mode will cause the Talon Enhanced to halt if an error such as This mode will cause the Talon Enhanced to halt if an error such as a bad suspect drive sector is encountered.

Retry – Retry will instruct the Talon Enhanced to make several attempts to read data from Retry will instruct the Talon Enhanced to make several attempts to read data from the damaged area of the drive. The user can configure the number of retry attempts from 0 to 1000 by pressing the Retries icon under Misc. to set the desired value.

Recover – Recover will attempt to recover as many bytes of data as possible from each Recover will attempt to recover as many bytes of data as possible from each bad sector that is encountered

NOTE: Data in any skipped sectors will NOT be copied to the destination drive. The corresponding sector of the Destination drive will instead be “padded” with zeroes. The padded sector will then be included in the final SHA-256 and MD5 values.

ADDITIONAL NOTE: The absolute location of each skipped sector will also be listed on the final Capture Report. The first 200 bad sectors will be recorded, after which the unit will

CAPTURE MODES AND SETTINGS

CAPTURE MODES AND SETTINGS
CAPTURE MODES AND SETTINGS

continue to skip bad sectors but it will not record their absolute locations. The final capture report will show the total number of sectors skipped.

Time to

complete

Option

Action

Abort

A bad sector aborts the cloning operation

Immediate

Skip (default)

Skips the bad sector

Fast

Retry

Attempts several retries to recover data of sector, then skips

Slower

Recover

Attempts a full-blown recovery algorithm, then skips

Very slow

Table 1, Error settings

NOTE: When capturing a Source drive that is known to have many bad sectors, the speed should be set to PIO-AUTO. Also, if the drive is captured or scanned multiple times, the SHA- 256/MD5 Hash value of each session could differ. This is because some bad sectors will read intermittently.

Word ListThis is because some bad sectors will read intermittently. The Word List Option is described in

The Word List Option is described in more detail in Chapter 7: Keyword Searching.

Modify Listdescribed in more detail in Chapter 7: Keyword Searching . The Modify List Option is described

The Modify List Option is described in more detail in Chapter 7: Keyword Searching.

Capturing Data from HPA and DCO Configurations

Some PC manufacturers will employ a utility that creates a HPA or DCO configuration on a hard drive. These configurations are designed to change drive characteristics such as drive capacity, speed and other settings as they are reported to the PC BIOS.

CAPTURE MODES AND SETTINGS
CAPTURE MODES AND SETTINGS

CAPTURE MODES AND SETTINGS

HPA – Or Host Protected Area can limit the size of a hard drive, but it Or Host Protected Area can limit the size of a hard drive, but it can also change many other settings such as speed and S.M.A.R.T. status.

DCO – Or Device Configuration Overlay limits the size of a drive only. For example, a Or Device Configuration Overlay limits the size of a drive only. For example, a 60GB drive can be made to look like a 30GB drive to a PC.

The Talon Enhanced is able to unlock and capture data from both HPA and DCO configurations. The Talon Enhanced will then re-lock the DCO. HPA’s are relocked when the Source drive is hard-booted after capture.

The Final capture report is also able to report any HPA and/or DCO that is found.

The report only shows the existence of an HPA and if it was unlocked.

The report also shows the existence of a DCO and if it was unlocked and captured. It also lists the maximum LBA, size and speed setting of the DCO

HPA and DCO configurations can only be detected on the Source drive. They cannot be seen on the Destination drive. The following Modes are able to detect, unlock and work with data inside HPA and DCO configurations when the drive is in the Source position:

Drive InfoDCO configurations when the drive is in the Source position: Capture DD Image Capture Drive Defect

Capturewhen the drive is in the Source position: Drive Info DD Image Capture Drive Defect Scan

DD Image Capturewhen the drive is in the Source position: Drive Info Capture Drive Defect Scan Calc. HASH

Drive Defect Scanin the Source position: Drive Info Capture DD Image Capture Calc. HASH Keyword Search Talon Enhanced

Calc. HASHSource position: Drive Info Capture DD Image Capture Drive Defect Scan Keyword Search Talon Enhanced User’s

Keyword Searchthe Source position: Drive Info Capture DD Image Capture Drive Defect Scan Calc. HASH Talon Enhanced

4. Other Modes Introduction This chapter discusses other options that are found in the Settings

4. Other Modes

Introduction

This chapter discusses other options that are found in the Settings menu. They are Drive Defect Scan, Wipeclean™ Destination and HASH Scan. This chapter also discusses the options in the Misc Menu accessible from the Main Screen.

NOTE: Keyword Search and related settings are discussed in Chapter 7 and USB/eSATA Mode is discussed in Chapter 6.

Settings Menu Options

Mode is discussed in Chapter 6 . Settings Menu Options Drive Defect Scan This function performs

Drive Defect Scan

This function performs a surface scan of the drive media using the drive controller to verify the media. It is designed to look for bad sectors, weak sectors or weak spots, which it reports at the end of the scan.

Drive Defect Scan Step-by-Step

1. From the Main Screen, tap the Settings icon.

2. Tap the Drive Defect Scan icon.

3. Tap the “Drives” icon. Choose one of the following drives: S1, D1, or D2.

3. Tap the “Drives” icon. Choose one of the following drives: S1, D1, or D2. Press the Set button to confirm.

4. Tap the “Speed” icon. Here you have two choices:

4. Tap the “Speed” icon. Here you have two choices:

FAST (default): This mode does a single surface scan of the drive. (default): This mode does a single surface scan of the drive.

SLOW: This mode performs three surface scans in a row to better check for bad : This mode performs three surface scans in a row to better check for bad or weak sectors.

5. Press the START/STOP button to start the scan.

USB AND eSATA PORTS
USB AND eSATA PORTS

USB AND eSATA PORTS

6. The Talon Enhanced will access internal flash memory, then the following message will appear: “KEYPAD ENTRY: Enter Log file name. Press Set when done”.

7. Use the alphanumeric keypad to enter a Log file name of 8 characters or less. Press the Set button when finished.

8. When finished scanning, the Talon Enhanced will display the number of bad or weak sectors found on the drive. A copy of the session report will also be copied to the internal flash memory as <Log file name>.LOG.

9. If the Printer was set to “Auto Print”, the user will be prompted to connect the printer and make sure that it is powered up and online. Choose YES to print or NO to skip printing.

NOTE: Please refer to Chapter 3. Drive Capture Modes and Settings for more printing options.

Drive Capture Modes and Settings for more printing options. Wipe Destination This function is the process

Wipe Destination

This function is the process that erases or wipes all existing information from the surface of the Destination drive. It is a good idea to erase the drive prior to performing Mirror captures. It ensures that no old data remains on the drive, to be later confused as evidence. Note; information regarding performing a wipe to DoD specifications can be found in the Other Settings section under Manage Destination.

Many newer drives will also support Security Erase Mode, which is a much more automated process for wiping data. This mode sends “Security AT” commands to the Destination drive, which allows it to wipe at a very high rate of speed. The unit will automatically switch to Security Erase if it is supported by the attached drives.

NOTE: Security Erase will not run as part of a Mirror Capture session. Ordinary Wipeclean mode is used instead.

Wipe Destination Step-by-Step

1. From the Main Screen, tap the Settings icon to enter the Settings menu.

2. Tap the Wipe Destination icon.

3. Tap the “Drives” icon. Choose one of the following: D1, D2 or D1 &

3. Tap the “Drives” icon. Choose one of the following: D1, D2 or D1 & D2 to wipe both drives simultaneously.

4. Ta p the “Speed” icon to set the desired UDMA or PIO speed.

4. Tap the “Speed” icon to set the desired UDMA or PIO speed.

USB AND eSATA PORTS

USB AND eSATA PORTS
USB AND eSATA PORTS
USB AND eSATA PORTS 5. Set the Signature setting to the desired position, there are two

5. Set the Signature setting to the desired position, there are two choices:

YES (Default): Writes a small signature to the drive every 16,065 sectors (or every logical cylinder). (Default): Writes a small signature to the drive every 16,065 sectors (or every logical cylinder). During a later capture session, this signature tells the Talon Enhanced that the drive(s) have been correctly erased.

NO: Leaves the signature off the drive. The Talon Enhanced will not detect that the : Leaves the signature off the drive. The Talon Enhanced will not detect that the drive has been erased.

6. Press the <Start/Stop> button to begin wiping.

7. The Talon Enhanced will access internal flash memory, then the following message will appear: “KEYPAD ENTRY: Enter Log file name. Press Set when done”.

8. Use the alphanumeric keypad to enter a Log file name of 8 characters or less. Press the Set button when finished.

9. The Talon Enhanced will automatically detect whether or not the Destination drive will support a Security Erase. If not, then the Talon Enhanced will perform an ordinary Wipeclean operation based on the settings chosen by the user.

NOTE: Just before the wipe starts you may see a message on the UI that says “Set Dest PW to Spaces” This means that a Password key command has been sent to retrieve the security erase support status of the destination drive. No user action is required. If the Talon Enhanced performs a Security Erase, it will do a rough estimate of the Time Remaining. This estimate will appear on the progress bar while an “Elapsed Time” counter will count up the actual erase time.

NOTE: The Progress bar will appear to “hang” at 99% if the actual erase time is longer than the estimated time. The elapsed time counter will continue to run and the Status light will keep blinking until the wipe is finished.

10. When finished, the Talon Enhanced will display the following message “drive successfully erased”. A copy of the session report will also be copied to the internal flash memory as <Log file name>.LOG.

NOTE: The operation will abort with an error message if bad sectors are encountered on the Destination drive.

USB AND eSATA PORTS
USB AND eSATA PORTS

USB AND eSATA PORTS

USB AND eSATA PORTS HASH Scan 11. If the Printer was set to “Auto Print”, the

HASH Scan

11.

If the Printer was set to “Auto Print”, the user will be prompted to connect the printer and make sure that it is powered up and online. Choose YES to print or NO to skip printing.

NOTE: Please refer to Chapter 3. Drive Capture Modes and Settings for more printing options.

This mode computes the SHA-256 and MD5 Hash values for a given drive (S1, D1, or D2). It can also scan individual files (on the Destination Drive).

Hash Scan Step-by-Step

1.

2.

From the Main Screen, tap the Settings icon

to enter the Settings menu.

Tap the Hash Scan icon.

Tap the “Drives” icon. Choose one of the following drives: S1, D1, D2, File on D1 or File icon. Choose one of the following drives: S1, D1, D2, File on D1 or File on D2.

Tap the “Speed” icon to set the desired UDMA or PIO speed. icon to set the desired UDMA or PIO speed.

3.

4.

scanned, go to the “Size” setting. Use the keypad to enter a size in number ned, go to the “Size” setting. Use the keypad to enter a size in number of sectors. Press the Set button to confirm.

5.

If

a certain number of sectors need to be

6.

7.

Press the <START/STOP> button to begin the scan.

The Talon Enhanced will access the CF Card, then the following message will appear: “KEYPAD ENTRY: Use the alphanumeric keypad to enter a Log file name of 8 characters or less. Press the Select button when finished.

NOTE: The operation will abort with an error if sectors are found on the drive.

bad

8. When finished, the Talon Enhanced will display the SHA-256 and MD5 Hash values.

A copy of the session report will also be

copied to the CF Card as <Log file name>.LOG.

9. the Printer was set to “Yes”, the user will be prompted to connect the printer and make sure that it is powered up and online. Press SELECT to print or BACK to skip printing.

If

USB AND eSATA PORTS

USB AND eSATA PORTS
USB AND eSATA PORTS

NOTE: Please refer to Chapter3. Drive Capture Modes and Settings for more printing options.

Misc Menu Settings

and Settings for more printing options. Misc Menu Settings This section describes the settings that are

This section describes the settings that are available under the Misc Menu that can be accessed from the Main Screen.

Backlightthe Misc Menu that can be accessed from the Main Screen. Use this setting to turn

Use this setting to turn the Touch Screen’s backlight on and off. This setting is useful for seeing the Touch Screen in low light conditions. The default setting is OFF.

Authenticate TrailScreen in low light conditions. The default setting is OFF. This mode is used to verify

This mode is used to verify the authenticity of a report that has been written to the internal flash memory. It is designed to check the report for alteration. It verifies a proprietary Hash value that is written to the end of each report at the time of creation.

Procedure

1. From the Main Screen, tap the Misc icon.

2. Tap the Authenticate Trail icon.

3. The Talon Enhanced will display a list of the Log files that are on the internal flash memory.

4. Tap the desired Log file and press OK.

5. If the report has not been altered, the message will read “Log file authenticated. Press any key to return”.

6. If the report has been altered in any way, the message will read “Log File not authenticated. Press any key to return”.

7. Press the Back icon to return to the Main Screen.

Manage Settings7. Press the Back icon to return to the Main Screen. This icon brings up a

This icon brings up a series of icons that allow you to adjust, save and reset various default settings.

USB AND eSATA PORTS
USB AND eSATA PORTS

USB AND eSATA PORTS

USB AND eSATA PORTS Contrast Use this setting along with the two Up Down arrow icons

ContrastUSB AND eSATA PORTS Use this setting along with the two Up Down arrow icons to

Use this setting along with the two Up Down arrow icons to increase or decrease the Touch Screen’s Contrast setting to your desired preference. The contrast setting will be retained in memory by pressing the OK icon.

Save Settingssetting will be retained in memory by pressing the OK icon. Use this icon to save

Use this icon to save current configuration settings. Settings that can be saved through power recycle are: Mode, Speed, Verify, On Error, Contrast, Wipe Signature ON/OFF and Defect Scan Speed Fast or Slow.

Factory SettingsWipe Signature ON/OFF and Defect Scan Speed Fast or Slow. Changes all adjustable settings to the

Changes all adjustable settings to the default factory settings.

Manage Destination

This menu is used to prep the Destination drive(s) prior to running a DD Image or E01 Image capture. The settings available are:

a DD Image or E01 Image capture. The settings available are: Format Destination – This function

Format Destination This function allows you to format a Destination drive and also select the type of formatting to be performed on the Destination Drive(s). There are three options in this menu:

Format D1 This option will format the drive connected to D1. The drive will be formatted either NTFS or FAT32 depending on the Format setting below.

Format D2 This option will format the drive connected to D2. The drive will be formatted either NTFS or FAT32 depending on the Format setting below.

Format This option has two settings:

NTFS This formats the drive(s) with a single partition using the NT File System (NTFS). This is the default setting.

FAT32 This formats the drive(s) with a single partition using the FAT32 file system.

USB AND eSATA PORTS

USB AND eSATA PORTS
USB AND eSATA PORTS

When Format D1 or Format D2 is selected, the following prompt appears:

“Reformatting the Drive D1! All data on your Internal Drive will be lost! Continue?”

D1 will be replaced by D2 if Format D2 was chosen.

By choosing <Yes>, Talon Enhanced will format the drive.

By choosing <No>, the display show an error. Tap the <Back> button to go back to the Format Destination menu.

Scan Disk This function checks the Destination Drive for proper formatting. It functions much like Microsoft Windows Scandisk or Chkdsk.Scan Disk –

Choose <Yes> to run Scan disk. After 30 seconds, it will display a list of errors, if any.

DoD Wipe – In compliance with DoD M-5220, the Talon Enhanced will wipe either destination as follows: In compliance with DoD M-5220, the Talon Enhanced will wipe either destination as follows: The drive will be wiped with all 0’s followed by all 1’s THREE consecutive times; after this the final value of 0xF6 will be written to all locations on the drive. To summarize, the Talon Enhanced will write the following 7 patterns to all the locations on the destination drive: all 0’s, all 1’s, all 0’s, all 1’s, all 0’s, all 1’s, 0xF6

Browse Destination – If the Destination drive is formatted with a FAT32 or NTFS partition, Browse Destination If the Destination drive is formatted with a FAT32 or NTFS partition, Browse Destination will allow the user to navigate directories on the drive. It will also show the size of files on the drive. Use the Arrow and Select icon to navigate the directories.

Use the Arrow and Select icon to navigate the directories. Print Options This mode is used

Print Options

This mode is used to print reports directly from the Talon Enhanced through the serial port. This menu is used to prep the Destination drive(s) prior to running a DD Image capture. The settings available are:

to running a DD Image capture. The settings available are: Eject Page This function sends a

Eject Page

This function sends a form feed signal to the printer. This function may be required to load paper in some printers.

USB AND eSATA PORTS
USB AND eSATA PORTS

USB AND eSATA PORTS

USB AND eSATA PORTS Print Report This function is used to manually print a report after

Print Report

This function is used to manually print a report after a capture session. It also prints different reports associated with Keyword Search.

Print Last Session This function prints the report from the last performed session (drive capture, defect scan, wipe, etc.). It is not able to print reports prior to the last session.Print Last Session –

Print Search Detail This function prints all of the found keywords from the last keyword search as well as their absolute locations on the Source drive.Print Search Detail –

NOTE: For more information, please refer to Chapter 7: Keyword Searching.

Print Search Text – This function prints a fragment of text before and after each found keyword. This This function prints a fragment of text before and after each found keyword. This allows each keyword to be viewed in context.

NOTE: For more information, please refer to Chapter 7: Keyword Searching.

information, please refer to Chapter 7: Keyword Searching . Auto Print (After Capture) This function tells

Auto Print (After Capture)

This function tells the Talon Enhanced to print a report after the next capture session. It can be set to YES or NO (default).

Debugnext capture session. It can be set to YES or NO (default). Use this setting to

Use this setting to turn the Debug reporting tool on and off. This setting is used in conjunction with the Serial Port and a terminal link program. The default setting is OFF. Debug should only be turned on when the user is directed to do so by Logicube Technical Support.

Beeperthe user is directed to do so by Logicube Technical Support. Use this setting to turn

Use this setting to turn the beeper on and off. This setting is useful when in “stealth” mode or in an environment that requires no noise. The default setting is OFF. Any change to the setting is preserved after power off.

USB AND eSATA PORTS

USB AND eSATA PORTS
USB AND eSATA PORTS

Audio Notice USB AND eSATA PORTS Use this setting to provide an audible beep if the data capture

Use this setting to provide an audible beep if the data capture has been completed successfully. A different audible beep will occur to alert the user that the capture has encountered an error. This beep will sound with a 50% duty cycle for approximately 2 minutes or until the user acknowledges the error via the user interface. The default setting for Audio Notice is OFF. Once enabled the Talon Enhanced will retain the setting last used prior to power recycle.

Securitywill retain the setting last used prior to power recycle. This feature provides the user with

This feature provides the user with a password-based security system (based on the ATA security specification T13) to protect their data from unauthorized access.

This feature has two security levels; High or Maximum and the ability to set a Master along with a User password. The Master password is typically used by an administrator this password is kept secret from the user and may be used to unlock the device if the User password is lost. If High security is selected the drive can be unlocked for use with either the User or Master password. Under Maximum security mode the drive can only be unlocked with the User password.

NOTE: Not all hard drive models support the Secure Lock function. Make sure the drives you are using support the ATA lock command. See the Get Security Level feature defined below for information on how to determine if a particular drive supports the ATA lock command.

The security system is enabled by sending a user password to the device. When the security system is enabled, access to user data on the drive is denied after a power cycle until the User password is sent to the device with the Unlock command.

Note: Passwords should be limited to 16 characters or less. Password entry confirmation has been implemented.

WARNING! Please be very careful when entering passwords so you are not inadvertently locked out of any drives permanently.

The security menu is accessed from the Preferences Settings Menu under Misc. (Press the “More” button to see the Security icon). The Security menu contains the following options:

icon). The Security menu contains the following options: High Security When selected the drive can be

High Security

When selected the drive can be set to lock with User and then the Master password. In High security mode, the Master password should be entered after the User password.

USB AND eSATA PORTS
USB AND eSATA PORTS

USB AND eSATA PORTS

Maximum SecurityUSB AND eSATA PORTS This security setting can only be set to lock by the User

This security setting can only be set to lock by the User password.

Typesetting can only be set to lock by the User password. This setting determines which user

This setting determines which user is currently accessing the drive and which password will be used to lock/unlock the drive. The choices are Master or User.

If Master password is selected ;

When selected, the user is prompted to select the location of the hard disk drive that will be locked, either S1, D1 or D2. Next the user will be prompted to enter the password to be assigned. Passwords can be alphanumeric, are case sensitive and should be limited to 16 characters or less The user will be asked to enter the password a second time and once the operation has been completed the user will see the following message:are Master or User. If Master password is selected ; Set Password Setting drive (XX) Master

Set Password

Setting drive (XX) Master password is successful!

When selected, the user is prompted to select the location of the hard disk drive to unlock, either S1, D1 or D2. Next the user will be prompted to enter the password to unlock the drive. When the operation has been completed the user will see the following message:Password Setting drive (XX) Master password is successful! Unlock Password Unlocking drive (XX) Master password is

Unlock Password

Unlocking drive (XX) Master password is successful!

Note: This unlock is temporary and the user can access the drive only once. The password will need to be reentered every time you want access to the drive even if you don’t cycle the power of the Talon Enhanced.

If User password is selected ;

Set Passwordyou don’t cycl e the power of the Talon Enhanced. If User password is selected ;

USB AND eSATA PORTS

USB AND eSATA PORTS
USB AND eSATA PORTS

When selected, the user is prompted to select the location of the hard disk drive that will be locked, either S1, D1 or D2. Next the user will be prompted to enter the password to be assigned. Passwords can be alphanumeric, are case sensitive and should be limited to 16 characters or less. The user will be asked to enter the password a second time and once the operation has been completed the user will see the following message:

Setting drive (XX) User password is successful!

message: Setting drive (XX) User password is successful! Unlock Password When selected, the user is prompted

Unlock Password

When selected, the user is prompted to select the location of the hard disk drive to unlock, either S1, D1 or D2. Next the user will be prompted to enter the password to unlock the drive. When the operation has been completed the user will see the following message:

Unlocking drive (XX) User password is successful!

Note: This unlock is temporary and the user can access the drive only once. The password will need to be reentered every time you want access to the drive even if you don’t cycle the power of the Talon Enhanced.

Geteven if you don’t cycle the power of the Talon Enhanced. To initialize the Get update

To initialize the Get update the user must recycle system power after any setting change. Get will access hard disk drive security infromation for one user selectable drive; S1, D1 or D2. The feature reports the security settings that are implemented on the selected drive. For example:

Security supported

Yes

Security enabled

Yes

Security locked

Yes

Security frozen

Yes

Count expired

Yes

Security level

High

DisabledYes Count expired Yes Security level High This option will permanently remove any previous security

This option will permanently remove any previous security feature passwords from the hard disk drive, allowing anyone access to the drive even after drive power is recycled. Users can select one drive at a time to disable, either

USB AND eSATA PORTS
USB AND eSATA PORTS

USB AND eSATA PORTS

S1, D1, D2. In high security mode the security feature can be disabled using either the User or Master password.

be disabled using either the User or Master password. SCSI/SAS Adapter The SCSI and SAS Adapters

SCSI/SAS Adapter

The SCSI and SAS Adapters are designed to attach directly to the Talon Enhanced. These optional adapters can be purchased from Logicube, the SAS Adapter is included in the Talon Enhanced Field ToughKit. Contact the Logicube Sales Department for more information.

Functionally each adapter acts like a pass through device and allows for external connection and capture of SCSI and or SAS source drives through the PATA (IDE) port of Talon Enhanced.

Info is used to display the Serial Number and current Firmware, BIOS, Kernel and Software revisions for the SCSI or SAS adapter you have connected to the source position of Talon Enhanced.source drives through the PATA (IDE) port of Talon Enhanced. BIOS Upgrade is used to upgrade

BIOS Upgrade is used to upgrade the BIOS of the adapters PCB assembly.you have connected to the source position of Talon Enhanced. Kernel Upgrade is used to upgrade

Kernel Upgrade is used to upgrade the OS of the adapter.is used to upgrade the BIOS of the adapters PCB assembly. FPGA Upgrade is used to

FPGA Upgrade is used to upgrade the Firmware of the adapters PCB assembly.Kernel Upgrade is used to upgrade the OS of the adapter. The Application Upgrade icon is

The Application Upgrade icon is used to upgrade the Capture Application for both the SCSI and SAS adapters. This update will most likely to be performed more frequently than those listed above.used to upgrade the Firmware of the adapters PCB assembly. Performing SAS and SCSI Adapter Updates

Performing SAS and SCSI Adapter Updates

It’s good practice to occasionally verify that your Adapter is running the current BIOS, Kernel, Firmware and Software Application. This is not something that will need to be updated frequently.

The Application Upgrade icon is used to upgrade the Capture Application for the both adapters. This update will most likely to be performed more frequently than those listed above.

Press the following icons in succession to display a list of the current programming installed in the attached adapter:

USB AND eSATA PORTS

USB AND eSATA PORTS
USB AND eSATA PORTS

Misc. more

USB AND eSATA PORTS Misc. more A list will display showing which version of BIOS, Kernel,

A list will display showing which version of BIOS, Kernel, FPGA (Firmware) and Application Software currently installed in the adapter.

Sample Info list:

Serial number: 1 Firmware Rev: 101 Bios Rev: 150 Kernel Rev. 200 Software Rev: 302

Compare the versions in your list to the current versions posted and available on the Logicube website. If updates are necessary download the files that need updating from www.logicube.com/support Select product F- ADP-SAS or F-ADP-SCSI and the applicable download links will be visible. The download files are in ZIP format. Unzip the contents to the root directory of a USB flash drive then follow the update instructions starting at step 1 below.

NOTE: The USB port on the adapter is used to update all Adapter programming even if the USB port cloning option has not been purchased and enabled.

The following are Step-by-Step instructions on how to update Adapter BIOS using the Talon Enhanced. Kernel, FPGA and Software are updated similarly.

1. Disconnect the power supply cord from the Logicube Hard Disk Drive capture device.

2. Locate the PATA (IDE) ribbon cable P/N CBL-037B and plug the end labeled HDD SIDE into the adapter port marked IDE CONNECTOR IN.

3. Connect the other side of the ribbon cable labeled DUPLICATOR SIDE to an external IDE port on the Logicube capture device you are using.

4. Locate the cable labeled CBL-002B and connect the end with the large white plug to the mating receptacle next to the PATA (IDE) ribbon cable on the adapter.

5. Connect the other side of the CBL-002B to the external power port of the

USB AND eSATA PORTS
USB AND eSATA PORTS

USB AND eSATA PORTS

Logicube capture device. Use the power port closest to the ribbon cable.

6. Copying the files to be updated to the root directory of a USB flash drive. Updated files are located at www.logicube.com/support Select product F-ADP-SAS or F-ADP-SCSI and the download links will be visible.

7. Insert the USB flash drive into the adapter USB port.

8. Insert the power supply cord to power the duplication device.

NOTE: The remaining steps provide instructions to update BIOS but are also applicable for updating Firmware, Kernel and Software.

also applicable for updating Firmware, Kernel and Software. 9. Press Misc. more 10. Enter the password

9. Press Misc. more

10. Enter the password logicube in lower case.

11. You will be prompted to enter a revision number. If this example it is the current BIOS revision number. This and all current revision numbers are provided in the readme.txt file that accompanied the previously downloaded update files. As of this writing the value for Bios Revision is 150. Entering an incorrect revision value will cause the process to error out.

12. Enter the current revision for the respective item you are updating. If the revision number matches the excepted number the update process will begin.

NOTE: It is imperative that power be maintained throughout the SAS adapter update.

NOTE: Please refer to Section 8: Optional Peripherals for information regarding use of the optional SCSI/SAS adapters.

information regarding use of the optional SCSI/SAS adapters. Retries Use this setting to set the number

Retries

Use this setting to set the number of “read/write error” retry attempts from 0 to 1,000. Use the keypad on the Talon Enhanced to set the number. The default setting is 50.

USB AND eSATA PORTS

USB AND eSATA PORTS
USB AND eSATA PORTS

Install Options USB AND eSATA PORTS As optional features become available, use the install options icon to activate

As optional features become available, use the install options icon to activate purchased options by pressing Misc. and the Install Options icon on Talon Enhanced.

Enter the alphanumeric option code provided at time of optional purchase using the touch screen display. The option will automatically become available.

NOTE: New and improved Talon Enhanced software will appear from time to time on our web site located at www.logicube.com. Verify your software is up to date by comparing the software revision on the Logicube website with the software revision listed under About on the main menu.

File Systemthe software revision listed under About on the main menu. This function allows you to select

This function allows you to select the file system used for Destination drives. If the file system on your Destination drive differs from this setting, you will be prompted with the following message:

“D1 File System is different from setting! Would you like to change setting(No) or reformat(Yes)?”

The two choices for the type of formatting are:

NTFS This formats the drive(s) with a single partition using the NT file system (NTFS). This is the default setting.

FAT32 This formats the drive(s) with a single partition using the FAT32 file system.

Languageswith a single partition using the FAT32 file system. This function allows either English or Chinese

This function allows either English or Chinese (simplified or Traditional) characters on the Talon Enhanced display. Each selection has an option for YES or NO.

From the Main Talon Enh

tap the More icon twice, and finally tap the Languages icon. The following choices will appear:

anced menu, tap the Misc icon, then